Windows 10 - Cheap At half The Price

Chronological Blog Entries:

Date: Sat, 10 Dec 2016 14:48:22 +1100

Could the end times be near? The signs are inauspicious dear reader. We
have a reality TV clown about to assume the office of President of The United
States. Microsoft have got serious about their user security. And your humble
blogger endorses one of their products. Yes, dear reader your blogger
found himself using Windows on a laptop. Even though your blogger regularly
uses Windows in the workplace, colleagues will be aware that he had a strict
policy of wall-to-wall Ubuntu clients on the humble network (PGTS). This is
because of the superior security model that Ubuntu clients employ. Well if it
is not the end times ... Perhaps it is the end of civilisation as we know it?

First Impressions

Recently your blogger had to start using a Windows 7 laptop. Your blogger
initially approached the device with some caution ... Well founded, as it
turned out ... It may not come as a big surprise that the laptop had, in fact,
been infected with "malware" ... It's a long story ... But the short version
is the previous owner had downloaded several "free" programs and had been
using an "Administrator" account to conduct routine activities.

Now without going into the long version of the story, your blogger really
did have a pressing need to use a Windows client, and so reluctantly decided
to remove the malware. ... How hard could it be? ... Read on for a brief
summary of this mini saga ...

The Windows 7 laptop had obviously been hacked. Searches were
automatically redirected to www-searching.com. And Windows Update would
not work.

Quite a bit of the advice about such malware suggests that one should
"uninstall" the unwanted software. However your blogger was not all that
enthusiastic about using an uninstall process which could possibly have been
provided or poisoned by the supplier of the malware, and instead opted for
manual deletion.

This was quite challenging because there were numerous points where
malicious software had been injected into the system:

Suspicious looking executables. These were mostly in
AppData/Local and in "Program Files (x86)". But some of them were in
isolated folders. It's possible to find these with a search using the
forfiles command with the /D and /S options, searching for "*.exe"
and "*.dll" and redirecting the output to a plain text file and studying it
carefully.

Hacked /etc/hosts.
Something had hacked /etc/hosts with this line:

127.0.0.1 down.baidu2016.com

Suspicious looking registry entries. There were large
numbers of registry entries that were suspicious and obviously hacked. If
the correct settings were obvious they were corrected. Otherwise a google
search would usually reveal the correct settings. The registry in this
laptop had numerous versions of network configurations that had been
introduced and or hacked with the following primary and secondary DNS:

nameserver 82.163.143.176
nameserver 82.163.142.178

And there were many registry keys with www-searching.com and their
product called "Search Tool" (More about them later)

Suspicious looking programs in startup folder. There were
numerous programs in "startup" ... Most of them seemed unnecessary or
dubious. As a remedial action, all of them were disabled or removed.

Suspicious looking scheduled tasks. There were multiple
scheduled tasks that would launch at startup and/or login and/or regular
intervals. Many of them ran executables and .js scripts (which helped
identify more suspicious executables). Several of these mentioned the
infamous "search tool"

Suspicious looking services. There were several unknown
services. Google searches usually confirmed that they were potential
adware.

Browser configuration hacked. Configuration settings in all
browsers, especially the preferred search engine, had been hacked. This was
tedious. Because each browser has its own specific set of instructions
(lots of Googling for configuration settings here). The desktop icons for
all browsers had also been hacked with www-searching.com
parameters, passed on the command line for launching the icon. This meant
that clicking on the icon took the browser directly to the Malware owner's
site, rather than starting up the browser cleanly.
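The checks above can be gathered into one read-only audit before anything is deleted. The script below is an added example, not from the blog: it lists the same persistence points the post walked through (recent binaries, the hosts file, per-interface DNS, startup folders, scheduled tasks, service binaries, browser shortcut arguments) so they can be reviewed. It assumes Windows 10, an elevated PowerShell 5.1 or later session, and treats "recent" as the last 30 days.

```powershell
# Added audit script; not from the blog. Read-only: it only lists the persistence points
# the post describes so they can be reviewed before anything is deleted.
# Assumptions: Windows 10, elevated PowerShell 5.1+, "recent" = last 30 days.
param([int]$Days = 30)
$Since = (Get-Date).AddDays(-$Days)

# 1. Recently written .exe/.dll files where the post found them (forfiles /S /D equivalent).
$Roots = @($env:LOCALAPPDATA, ${env:ProgramFiles(x86)})
Get-ChildItem -Path $Roots -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    Select-Object FullName, LastWriteTime |
    Export-Csv "$env:USERPROFILE\Desktop\recent-binaries.csv" -NoTypeInformation

# 2. hosts file (Windows path of what the post calls /etc/hosts): every active entry.
$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $HostsFile | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    ForEach-Object { "hosts: $_" }

# 3. DNS servers configured on each interface (the post found two foreign resolvers here).
$IfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem $IfKey | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    foreach ($v in 'NameServer', 'DhcpNameServer') {
        if ($p.$v) { "dns: {0} {1}={2}" -f $_.PSChildName, $v, $p.$v }
    }
}
# 4. Startup folders, per-user and all-users.
Get-ChildItem ([Environment]::GetFolderPath('Startup')), ([Environment]::GetFolderPath('CommonStartup')) -ErrorAction SilentlyContinue |
    ForEach-Object { "startup: $($_.FullName)" }

# 5. Non-Microsoft scheduled tasks with what they execute (look for .js and odd paths).
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $t = $_; $t.Actions | ForEach-Object { "task: {0} -> {1} {2}" -f $t.TaskName, $_.Execute, $_.Arguments }
}

# 6. Services whose binary is not Microsoft-signed (or cannot be found at its PathName).
Get-CimInstance Win32_Service | ForEach-Object {
    $exe = ($_.PathName -replace '^"([^"]+)".*', '$1') -replace '^(\S+\.exe).*', '$1'
    $sig = Get-AuthenticodeSignature $exe -ErrorAction SilentlyContinue
    if ($sig.SignerCertificate.Subject -notlike '*Microsoft*') { "service: {0} -> {1}" -f $_.Name, $_.PathName }
}

# 7. Desktop browser shortcuts whose Arguments carry a URL (the post found the redirect here).
$Shell = New-Object -ComObject WScript.Shell
Get-ChildItem "$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop" -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $s = $Shell.CreateShortcut($_.FullName)
    if ($s.Arguments -match 'https?://') { "shortcut: {0} -> {1}" -f $_.Name, $s.Arguments }
}
```

Everything it prints is a candidate for review, not a verdict; an unsigned service or a URL in a shortcut's arguments is where the post found trouble, but each line still needs to be checked by hand.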

The cleanup process was long and tedious ... For security reasons,
Internet searches and downloads (where necessary) were conducted on a separate
(Ubuntu) workstation ... Eventually tired and bleary-eyed, your humble blogger
managed to wrest back control of the browsers and Windows update was working
again. A large number of updates were downloaded and everything worked with
one exception (which worryingly was a security update --- More about this
later)

After this your blogger decided to upgrade to Windows 10, since there were
rumours of a new release of "Windows Defender", an upgraded version of an
anti-spyware product that had been released earlier for Windows 7. However
when Windows Defender was deployed (after the W10 update) it would only scan.
Windows Defender would not enter "real-time protection" mode because it
reported that there was another anti-virus program handling security.

This seemed odd (and troubling) since all Anti-Virus products including a
suspicious looking one called "OneSystemCare" (almost certainly malware), had
been removed prior to the W10 update. The update had retained existing apps
and data. A Google search revealed that Windows Defender would not run if it
detected "remnants" of a previous anti-virus program that had been "manually"
removed.
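The "remnants" Defender objects to are usually stale registrations in Security Center. The snippet below is an added example, not from the blog: it lists what Security Center believes is handling anti-virus, flags registered products whose executable no longer exists, and reports Defender's real-time state. It assumes a Windows 10 client and an elevated PowerShell session, and the productState bit test is a widely documented convention, not something the post states.

```powershell
# Added check; not from the blog. Assumes Windows 10 client, elevated PowerShell.
$Products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
foreach ($p in $Products) {
    # productState is a bit field; bit 0x1000 set is the common convention for "enabled"
    # (assumption from third-party documentation). The raw value is shown as well.
    $state   = [int]$p.productState
    $enabled = (($state -band 0x1000) -ne 0)
    "{0,-30} state=0x{1:X6} enabled={2} exe={3}" -f $p.displayName, $state, $enabled, $p.pathToSignedProductExe
}

# A registered product whose executable path is a real file path that no longer exists
# is exactly the "manually removed" remnant the post describes.
$Products | Where-Object {
    $_.pathToSignedProductExe -like '*\*' -and -not (Test-Path $_.pathToSignedProductExe -ErrorAction SilentlyContinue)
} | ForEach-Object { "REMNANT: {0} -> {1} (missing)" -f $_.displayName, $_.pathToSignedProductExe }

# Defender's own view: whether real-time protection is on and how fresh its signatures are.
$mp = Get-MpComputerStatus
"Defender real-time protection: {0}; signatures updated {1}" -f $mp.RealTimeProtectionEnabled, $mp.AntivirusSignatureLastUpdated
```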

This was when your blogger made another disturbing discovery ... Existing
accounts had been cleaned up, but when a new local account was added, the
browsers were all hacked with the www-searching.com malware. A search
of the drive with findstr revealed that there were several files that
stored default settings that would be used in the initial setup of browsers
when the Desktop was created on first login. The hack had corrupted initial
settings for Firefox and Chrome, but Edge was not affected. Either because the
authors had not caught up with Edge at the time the malware was created, or
because Microsoft had since improved the security of Edge. (Although on
reflection ... The most likely reason is that Edge was installed with W10)

At this stage it seemed a complete cleanup process could easily take
several more hours and even then there was no guarantee that Windows defender
would work ... It might still think that there was something (remnants?)
already handling Anti-virus activities. It seemed to be an opportune time
to "Call in the heat". Your blogger went googling for Windows anti-virus
software. Naturally there was a huge amount on offer. Windows, quite
deservedly, is famous for malware and there was a lot on offer ... But a lot
of it looked to be almost as nasty as the malware that your blogger wanted to
get rid of. A close inspection of the websites for any "free" anti-virus
product left your humble blogger feeling quite uneasy. The premium products
looked much better ... But generally after starting off with generous cheap
offers, most of them ended up being in the vicinity of $40 AUS per year. And
there was still the niggling doubt that the anti-virus products might have the
same problems that Windows Defender seemed to be having. (Although there is a
good chance that third party products would be less coy about blowing away
remnants of another Anti-virus product?)

Perhaps a strategic response rather than a tactical one was required?
There was an Advanced Startup option which offered to re-install Windows. A
lot of this seems to be a work-in-progress, so the location of the option may
change as Microsoft improve on it. At the time it seemed like an excellent
option ... A pre-emptive strike that would nuke everything ... True to its
word ... The advanced startup option completely erased the disk, all accounts
and all non-Microsoft programs, downloading and re-installing a brand new
default windows 10 operating system with no apps and no data ... Very
impressive! The basic network settings for the default user had been preserved
but there was good reason to be confident that they were ok.

The first program your blogger enabled on his now clean brand new windows
10 system was "Windows Defender".

Windows Defender seems to behave much like premium anti-virus programs
(which will probably make many of them concerned about their future business
model). Windows Defender downloads signatures regularly (from windows
updates). If real time protection is "on" (highly recommended), you must
confirm that it is ok to make any modifications and if you are not already
running as an Administrator (highly recommended that you do not) then you must
enter the administrator password in order to carry out the modification. This
is in fact the default behaviour of "proper" operating systems (such as
Mac OS and Ubuntu).

Conclusions

All in all, Windows 10 (with the Anniversary Update) is a truly
remarkable Microsoft Operating System. Remarkable because it is the first time
in Microsoft's long sad history that they seem to have taken their customers'
security seriously. Up until now all we have had is more BS about how security
is the responsibility of the user ... Blah, blah ... While malware authors
have feasted on the bloated body of unnecessary frills, eye-candy and
strategic corporate BS ... And the anti-virus industry has flourished along
with a shadowy under-world of faux anti-malware providers that are in
all probability installing more malware ... Windows 10 appears like a light at
the end of a long tunnel ... Let's just hope that is not the headlight of an
oncoming train!

The Windows 10 interface is pared-down, minimalist and despite the amount
of back-chat to Microsoft (for security and advertising) it is quite
responsive. The browser that Microsoft supply, Edge, seems to be a browser
that, apart from a little too much advertising, does not appear to try any
(obvious) "dirty tricks" and complies with generally accepted web standards.
The OS itself is a genuine 64-bit, genuine multi-user OS. There are many
improvements in security, most of them long over-due ... And now at last
Microsoft have produced their own Anti-Virus (AV) product. Your blogger
expects considerable FUD from shills spruiking the benefits of third party AV
products. But despite such in-house endorsements, competing with a product
embedded in the OS, getting almost daily updates from the company that created
the OS, seems like a big challenge for the AV industry. ... Already the price
of some of the premium AV products has decreased dramatically. This will
probably precipitate a race to the bottom that will shake out the entire
industry.

Microsoft getting serious about security was a necessary pre-condition to
them taking charge (and responsibility?) of the new multi-device platform that
they wish to roll out. It only took 30 years, dear reader ... Was it worth the
wait?

It also seems that this is paying off. W10 has established itself well in
the domestic market and is clearly leading W8 (no surprises there). However W7
now has such a well established base in the big end of town that it may hang
on to its market leader spot for some time. Also the big business corporate
sector has shown itself to be very slow to change (many of them are still
ridding themselves of XP and Server 2003). From the point of view of profits,
it seems easy enough to appreciate Microsoft's decision to withdraw the "free
upgrade" option for W7 and W8 users ... But from a strategic point of view it
remains puzzling why Microsoft don't bite the bullet and just offer
(especially W8) users an ongoing, no strings, free upgrade path to W10. W8
will not make significant gains in the big end of town and while it remains in
the marketplace it just reminds consumers of why Microsoft has a poor
reputation.

Those of you who know your humble blogger well will probably gasp in
astonishment at the next sentence ... Your blogger, after cutting himself a
large slice of humble pie and sitting in the corner and choking a little on
said hard cold slice, will admit that Windows 10 might be an acceptable choice
for someone contemplating a new computer. Provided you followed certain
precautions (more about this in a subsequent blog), Windows 10 could be
considered in the same class as real operating systems like Ubuntu, or Mac OS.

Who Are These Guys Anyway?

But this left your blogger wondering how a bunch of ne'er-do-wells like
those who run www-searching.com can do so with impunity. This criminal
enterprise is well resourced and there is evidence in Google of activity in
their current form, going back to January, 2015. And there is some
evidence that the model they use goes back to October 2012. It's not as though
they are hiding their light under a bushel ... They are hanging out their
shingle proudly and a google search will take you straight there (albeit
Firefox does show search results with several inauspicious matches on the
first page). WARNING: If you use an older Windows computer that does
not have a legitimate up-to-date anti malware app then you should not go
anywhere near this site! ... Or maybe it doesn't matter? Your computer may be
so wormy and infected by now that it won't really matter? ... Nevertheless
despite this nefarious activity, www-searching.com are still up on the
net using a server farm hosted by Amazon Web Services (AWS). They use multiple
DNS entries which cycle through different IP addresses on a regular basis.
Your blogger went to check the site for the DNS hosting service for AWS
(MarkMonitor.com), and observed the following slick flashing slogans slipping
past on the screen.

Great brands trust us to help them fight online counterfeiting and
piracy

Now you can have visibility into the Dark Web. Introducing MarkMonitor
Dark Web and Cyber Intelligence

The last one brought a wry smile to your blogger's humble lips ... Yes, AWS
is indeed giving unwary Windows users a very thorough introduction to the Dark
Web by hosting the www-searching.com scumbags. But after all this time,
what is their excuse? Is it ignorance or do they just not care? ... As long as
they get their money?

There are also serious questions about the domain
privacyprotect.org which has registered the www-searching.com
domain. They state that they will not respond to mail sent to their purported
registered address: PO Box 16, Nobby Beach, QLD 4218 (Australia). This seems
suspicious enough. However the fact that they use their very own dubious
services to register their own identity is circuitous, self-referential and
would be laughable if it wasn't so clearly shady and most likely a front for
scammers and criminals.

The address in Queensland was originally started up by an organisation
called HotSnail, which offers an email forwarding service. Each account number
should be quoted before the PO box number. When ordinary mail arrives, if the
account number is valid, HotSnail will then scan and forward it to the account
holder via email. HotSnail do have a valid address, and the owner claims that
privacyprotect.org no longer have a valid account with HotSnail ...
Which means that the address listed in the registry entry for
privacyprotect.org is not just shady ... It is false.

Digging a little deeper into this cesspit reveals that
privacyprotect.org is registered by an organisation called
publicdomainregistry.com (PDR), with a genuine whois entry and an
official looking website. So there are questions here for AWS and the
(supposed legitimate) registrant PDR ... Why do they both continue to be
complicit in the hosting of www-searching.com? And while they might
claim that they are not responsible for the content provided by the
organisations they provide services for, surely they have some duty to make
sure that the details provided by the registered party are true and accurate?
Also it seems that Google and Mozilla are not really doing much ... While it
is true that the problem is entirely a Microsoft problem and the response from
Microsoft although welcome has been glacial, this particular malware targets
Chrome and Firefox browsers, and both Google and Firefox could have done more
to counter the growth of www-searching.com and their scammer buddies.

While it is good to see Microsoft finally making genuine endeavours to
improve the security of their operating system, nothing has been done about
the brazen deployment of the malware platform and the fake identities they
used to register their organisation. Your blogger must confess that, once
again, another wry smile crossed his face when he discovered that now after
several years of egregious malware deployment, there may be some scrutiny of
these organisations, not because of their criminal activities in the area of
computer exploits, but because there are hints that extreme Islamic groups may
be using the fake DNS entry service to hide their identities.